Detecting unauthorized user actions

ABSTRACT

In some examples, a system for detecting unauthorized user actions can include a processor to identify a plurality of objects and at least one user event to be monitored. The processor can also map the plurality of objects and the at least one user event to separate hyperplanes of a multi-dimensional visualization and apply at least one force to the plurality of objects. Additionally, the processor can detect a malicious user based on a movement of at least one of the objects as a result of applying the at least one force, and execute a security command to prevent the malicious user from accessing data.

BACKGROUND

The present disclosure relates to monitoring the transmission of databetween users and storage locations, and more specifically, but notexclusively, to detecting unauthorized user actions.

SUMMARY

According to an embodiment described herein, a system for detectingunauthorized user actions can include a processor to identify aplurality of objects and at least one user event to be monitored. Insome examples, the processor can also map the plurality of objects andthe at least one user event to separate hyperplanes of amulti-dimensional visualization, and apply at least one force to theplurality of objects. Furthermore, the processor can detect a malicioususer based on a movement of at least one of the objects as a result ofapplying the at least one force and execute a security command toprevent the malicious user from accessing data.

In some embodiments, a method for detecting unauthorized user actionscan include identifying a plurality of objects and at least one userevent to be monitored and mapping the plurality of objects and the atleast one user event to separate hyperplanes of a multi-dimensionalvisualization. Additionally, the method can include applying at leastone force to the plurality of objects, detecting a malicious user basedon a movement of at least one of the objects as a result of applying theat least one force, and executing a security command to prevent themalicious user from accessing data.

In yet another embodiment, a computer program product for detectingunauthorized user actions can include a computer readable storage mediumhaving program instructions embodied therewith, wherein the computerreadable storage medium is non-transitory or not a transitory signal perse. The program instructions can be executable by a processor to causethe processor to identify a plurality of objects and at least one userevent to be monitored. The program instructions can also be executableby a processor to cause the processor to map the plurality of objectsand the at least one user event to separate hyperplanes of amulti-dimensional visualization, apply at least one force to theplurality of objects, and detect a malicious user based on a movement ofat least one of the objects as a result of applying the at least oneforce. Furthermore, the program instructions can be executable by aprocessor to cause the processor to execute a security command toprevent the malicious user from accessing data.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

FIG. 1 depicts a block diagram of an example computing system that candetect unauthorized user actions according to an embodiment describedherein;

FIG. 2 is a process flow diagram of an example method that can detectunauthorized user actions according to an embodiment described herein;

FIG. 3 is an example of a multi-dimensional visualization with twohyperplanes indicating user actions;

FIG. 4 is a tangible, non-transitory computer-readable medium that candetect unauthorized user actions according to an embodiment describedherein;

FIG. 5 depicts an illustrative cloud computing environment according toan embodiment described herein; and

FIG. 6 depicts a set of functional abstraction layers provided by acloud computing environment according to an embodiment described herein.

DETAILED DESCRIPTION

Many users access data from various local and remote sources andtransmit data to any number of external sources. In some examples, thedata can include confidential or sensitive information. In embodimentsdescribed herein, techniques can detect and monitor unauthorized usersactions and prevent unauthorized access of data such as confidentialinformation.

In some embodiments described herein, a device can identify a pluralityof objects and at least one user event to be monitored. An object, asreferred to herein, can include any computing device such as a localdevice, database server, or email server, among others, or any user orset of users. A user event can include any action performed by a usersuch as accessing a database, transmitting an email, accessing filesfrom a device, and the like.

In some embodiments, a device can map the plurality of objects and theat least one user event to separate hyperplanes of a multi-dimensionalvisualization. A hyperplane, as referred to herein, can include anybounded two-dimensional space that includes representations of theobjects of a same type. For example, users can be mapped locationswithin a first hyperplane and database servers can be mapped tolocations within a second hyperplane. Additionally, the device can applyat least one force to the plurality of objects, and detect a malicioususer based on a movement of at least one of the objects as a result ofapplying the at least one force. For example, if the force results in auser moving away from other users in a hyperplane due to accessing adatabase or transmitting data to a particular location, the user can beidentified as a malicious user. In some embodiments, the device canidentify a user as a malicious user based on a movement of a user withina hyperplane in addition to actions or screenshots of previous locationsof the user. For example, if a force results in a user moving away fromother users in a hyperplane due to accessing a database or transmittingdata to a particular location, the user can be identified as suspiciousand the location movement of the user together with previous useractions or screenshots of previous user actions can be analyzed todetermine if the user has been mistakenly identified as a malicioususer. Furthermore, the device can execute a security command to preventthe malicious user from accessing data.

Accordingly, the techniques described herein can prevent unauthorizedaccess to data based on a location of a user within a hyperplane. Forexample, the techniques described herein can provide a visualization toidentify malicious users and prevent a malicious user from receivingconfidential information or performing an unauthorized action withconfidential information.

With reference now to FIG. 1, an example computing device is depictedthat can detect unauthorized user actions. The computing device 100 maybe for example, a server, desktop computer, laptop computer, tabletcomputer, or smartphone. In some examples, computing device 100 may be acloud computing node. Computing device 100 may be described in thegeneral context of computer system executable instructions, such asprogram modules, being executed by a computer system. Generally, programmodules may include routines, programs, objects, components, logic, datastructures, and so on that perform particular tasks or implementparticular abstract data types. Computing device 100 may be practiced indistributed cloud computing environments where tasks are performed byremote processing devices that are linked through a communicationsnetwork. In a distributed cloud computing environment, program modulesmay be located in both local and remote computer system storage mediaincluding memory storage devices.

The computing device 100 may include a processor 102 that is adapted toexecute stored instructions, a memory device 104 to provide temporarymemory space for operations of said instructions during operation. Theprocessor can be a single-core processor, multi-core processor,computing cluster, or any number of other configurations. The memory 104can include random access memory (RAM), read only memory, flash memory,or any other suitable memory systems.

The processor 102 may be connected through a system interconnect 106(e.g., PCI®, PCI-Express®, etc.) to an input/output (I/O) deviceinterface 108 adapted to connect the computing device 100 to one or moreI/O devices 110. The I/O devices 110 may include, for example, akeyboard and a pointing device, wherein the pointing device may includea touchpad or a touchscreen, among others. The I/O devices 110 may bebuilt-in components of the computing device 100, or may be devices thatare externally connected to the computing device 100.

The processor 102 may also be linked through the system interconnect 106to a display interface 112 adapted to connect the computing device 100to a display device 114. The display device 114 may include a displayscreen that is a built-in component of the computing device 100. Thedisplay device 114 may also include a computer monitor, television, orprojector, among others, that is externally connected to the computingdevice 100. In addition, a network interface controller (NIC) 116 may beadapted to connect the computing device 100 through the systeminterconnect 106 to the network 118. In some embodiments, the NIC 116can transmit data using any suitable interface or protocol, such as theInternet small computer system interface, among others. The network 118may be a cellular network, a radio network, a wide area network (WAN), alocal area network (LAN), or the Internet, among others. A remote server120 may connect to the computing device 100 through the network 118.

The processor 102 may also be linked through the system interconnect 106to a storage device 122 that can include a hard drive, an optical drive,a USB flash drive, an array of drives, or any combinations thereof. Insome examples, the storage device 122 may include an object manager 124,a visualization manager 126, a force manager 128, a malicious usermanager 130, and a command manager 132. In some embodiments, the objectmanager 124 can identify a plurality of objects and at least one userevent to be monitored. In some embodiments, the visualization manager126 can map the plurality of objects and the at least one user event toseparate hyperplanes of a multi-dimensional visualization. In someembodiments, the force manager 128 can apply at least one force to theplurality of objects. In some embodiments, the malicious user manager130 can detect a malicious user based on a movement of at least one ofthe objects as a result of applying the at least one force. In someembodiments, the command manager 132 can execute a security command toprevent the malicious user from accessing data.

It is to be understood that the block diagram of FIG. 1 is not intendedto indicate that the computing device 100 is to include all of thecomponents shown in FIG. 1. Rather, the computing device 100 can includefewer or additional components not illustrated in FIG. 1 (e.g.,additional memory components, embedded controllers, modules, additionalnetwork interfaces, etc.). Furthermore, any of the functionalities ofthe object manager 124, visualization manager 126, force manager 128,malicious user manager 130, and command manager 132 may be partially, orentirely, implemented in hardware and/or in the processor 102. Forexample, the functionality may be implemented with an applicationspecific integrated circuit, logic implemented in an embeddedcontroller, or in logic implemented in the processor 102, among others.In some embodiments, the functionalities of the object manager 124,visualization manager 126, force manager 128, malicious user manager130, and command manager 132 can be implemented with logic, wherein thelogic, as referred to herein, can include any suitable hardware (e.g., aprocessor, among others), software (e.g., an application, among others),firmware, or any suitable combination of hardware, software, andfirmware.

FIG. 2 is a process flow diagram of an example method that can detectunauthorized user actions. The method 200 can be implemented with anysuitable computing device, such as the computing device 100 of FIG. 1.

At block 202, an object manager 124 can identify a plurality of objectsand at least one user event to be monitored. In some embodiments, theplurality of objects comprise a set of users and a set of databasesaccessed by the set of users. In some examples, the objects cancorrespond to any suitable email server, computing device, database,groups of users, source applications performing an event, and the like.The event can include any suitable user action such as accessing adatabase, transmitting an email to an external location, a type ofcommand performed with an object, such as an insert command, deletecommand, or update command, or accessing a local file or a remote file,among others.

In some embodiments, the object manager 124 can detect the transmissionof data between a user or a local device and a database, email server,or the like, from a web browser, an application installed within a webbrowser such as a browser add-on, or from a remote database server. Forexample, the object manager 124 can reside on a remote server thatprocesses database access requests. In some examples, the remote servercan be an email server, among others. In some embodiments, the objectmanager 124 can reside in any suitable application and can monitor dataaccessed by a user or a device and monitor data transmitted from theuser or the device to an external source. For example, the objectmanager 124 can detect a data query transmitted from a user to anynumber of external databases.

In some embodiments, the object manager 124 can hook into event calls ormodify an operating system to detect a transmission of data from a localdevice to an external device. In some examples, the object a manager 124can monitor, at a kernel level of the operating system, a plurality ofsystem calls involving locally stored data and files. In someembodiments, hooking into an event call can include inserting hooks intoa process that enables an application or operating system to interceptfunctions calls, messages, or events, among others, passed betweenvarious software components. For example, hooking into an event call canenable an application or process to intercept keyboard or mouse eventmessages before the keyboard or mouse messages reach an application. Insome embodiments, the object manager 124 can modify an operating systemto load an additional library module or modify the import table of anexecutable, which can enable the object manager 124 to detect any datatransmitted to an external or remote source.

At block 204, a visualization manager 126 can map the plurality ofobjects and the at least one user event to separate hyperplanes of amulti-dimensional visualization. A hyperplane, as referred to herein,can include any suitable bounded two-dimensional plane corresponding toa set of objects of the same type. For example, a hyperplane can depictlocations of users in a bounded two-dimensional plane, a set ofdatabases accessed by users in the bounded two-dimensional plane, andthe like. In some embodiments, the multi-dimensional visualizationcomprises a connecting line between two objects in separate hyperplanesinvolved in the at least one user event. For example, the visualizationmanager 126 can generate a line connecting a user in a first hyperplaneto a database in a second hyperplane in response to detecting that theuser has performed an event involving the database such as accessing thedatabase, submitting a query to the database, or retrieving data fromthe database, among others. In some embodiments, the visualizationmanager 126 can modify a color, a size, a shape, or a line weight in themulti-dimensional visualization to indicate a different frequency of theat least one user event. In some examples, the multi-dimensionalvisualization can include any suitable number of hyperplanes. Forexample, the multi-dimensional visualization can include a hyperplanedepicting a set of users, a hyperplane depicting databases accessed bythe users, and a hyperplane depicting files in remote storage locationsaccessed by the users, among others. In some examples, an initiallocation of an object in a hyperplane can be arbitrary and the locationof the object can be modified based on forces described below inrelation to block 206.

In some embodiments, the visualization manager 126 can group users in ahyperplane based on user behavior of users with a shared authorizationlevel. For example, the visualization manager 126 can detect anysuitable number of characteristics associated with an authorizationlevel of each user. In some examples, the visualization manager 126 usesa data structure, such as a binary tree, vector, linked list, array, andthe like, to store characteristics for each user. In some embodiments,the characteristics for each user can indicate a hierarchicalrelationship within a group of users. In some embodiments, thecharacteristics associated with each user can indicate whether a userhas permission to access data from a local device or a remote devicethat hosts data, a file name corresponding to the data, a creation dateof the data on a host device, a user or a group of users withadministrative access to the data on the host device, and the like. Insome examples, each hyperplane can include locations of users with acommon authorization level.

At block 206, a force manager 128 can apply at least one force to theplurality of objects. In some embodiments, a force can be applied toobjects depicted in one of two hyperplanes. In some examples, the forcemanager 128 can apply a force to an object based on a sum of attractionof a plurality of objects to a center of activity in the separatehyperplanes. In some embodiments, the center of activity includes aweighted average of the objects in one of the separate hyperplanes. Insome embodiments, the force manager 128 can apply a force based on arepulsion of an object from additional objects within a predetermineddistance. In some examples, the force manager 128 can apply a forcebased on a repulsion from a border of the separate hyperplanes. Therepulsion from a border can prevent an object from drifting away fromanother object and beyond a border of a hyperplane. In some embodiments,the repulsion is based on an electrostatic repulsion force.

In some embodiments, a first hyperplane can correspond to databases anda second hyperplane can correspond to database users who access thedatabases. In one example, Equation 1 below can indicate forces appliedon each database user:{right arrow over (F)} _(obj) ^(i)=(c _(pp)){right arrow over (F)} _(pp)^(i) +{right arrow over (F)} _(ng) ^(i) +{right arrow over (F)} _(b)^(i)  Eq. 1

In some embodiments, Cpp can be a predetermined constant or factor thatcontrols an amount of influence of the center of activity of an objecton a hyperplane. The variables Fpp, Fng, and Fb are described in greaterdetail below in relation to Equations 2, 3, and 4. In some embodiments,the forces of Equation 1 can also be applied to objects such asdatabases, among others. As illustrated below in Equation 2, F_(pp)represents the total attraction force applied on a user by objects ofanother hyperplane such as databases, among others.{right arrow over (F)} _(pp) ^(i) =β{right arrow over (F)}_(new)+(1−β){right arrow over (F)} _(pp) ^(i−1)  Eq. 2

In Equation 2, the force is updated on each user action corresponding toa database. The variable F_(new) represents the attraction forcedirected towards the position of that database. Using an exponentialdecay formula, the total force can be updated by adding the influence ofthe new action, which gets a more substantial weight than older actions.In some examples, the beta variable, B, can indicate the strength of theforce or effect for the new action relative to the influence ofhistorical actions. In some examples, the beta variable is apredetermined constant that can be used to adjust a weight given tohistoric events. In some examples, the beta variable can be adjusted bya system administration application prior to runtime. In one example, adatabase user which has 20% of activity with database “C”, 20% ofactivity using database “D”, and 60% of activity with database “E”, canbe depicted based on an attraction to the average position between thedatabase locations of databases C, D, and E, which can be weighted bythe relative volume of the activity. In some embodiments, techniquesdescribed herein include exponential decay (as described in Eq. 2),which enables a device to “forget” older events or user actions while“remembering” more recent events or user actions without explicitlymaintaining or storing a copy of the entire historic events.

In some embodiments, F_(ng) of Equation 1 represents the summation ofthe repulsion force applied on an object (i) by each of the object'sneighbors, which are the same type of object. Due to the fact that theobjects of the same type are considered identical in their physicalattributes such as mass, electric charge, and the like, the non-changingparts can be replaced with a constant k′ as illustrated below inrelation to Equation 3.

$\begin{matrix}{{\overset{\rightarrow}{F}}_{ng}^{i} = {\sum\limits_{j = {1{({j \neq i})}}}^{n}{\frac{k^{\prime}}{{dist}\mspace{11mu}\left( {i,j} \right)^{2}}{\hat{r}}_{ij}}}} & {{Eq}.\mspace{14mu} 3}\end{matrix}$

In Equation 3, the variable r_(ij) corresponds to a directional vectorwhich stores the direction between the objects i and j. Additionally,the variable n represents the number of neighbors. In some embodiments,Fng represents a repulsion force applied on an object based on anelectrostatic repulsion force such as Coulomb's law.

In some embodiments, F_(b) of Equation 4 below represents a forceapplied on each object in order to constrain the object's movement in atwo-dimensional space. For example, a border of the two-dimensionalspace of a hyperplane can be represented in an x direction as bx₀ to bx₁and a y direction as by₀ to by₁. In some embodiments, k″ can be definedas a combination of physical values such as mass, Coulomb's constant,and the like.

$\begin{matrix}{{\overset{\rightarrow}{F}}_{b}^{i} = {{\frac{k^{''}}{{{x_{i} - {bx}_{0}}}^{2}}\hat{x}} + {\frac{k^{''}}{{{x_{i} - {bx}_{1}}}^{2}}} + {\frac{k^{''}}{{{y_{i} - {by}_{0}}}^{2}}\hat{x}} + {\frac{k^{''}}{{{y_{i} - {by}_{1}}}^{2}}}}} & {{Eq}.\mspace{14mu} 4}\end{matrix}$

In some embodiments, a balance between the constants c_(pp), k′ and k″can tune the influence of each of the forces on the total force appliedon an object. In each time step, the new speed (v_(i)) for each objectcan be calculated according to the total force (F^(i) _(obj)), andaccording to a velocity that the change in possession is calculated. Forexample, the velocity can correspond to a speed that a position of anobject is changing as a result of a force. In some examples, Fbrepresents an electrostatic repulsion force applied as a sum of singledimensional border forces on an object based on a perpendiculardistance.

At block 208, a malicious user manager 130 can detect a malicious userbased on a movement of at least one of the objects as a result ofapplying the at least one force. For example, the malicious user manager130 can detect if a user is located proximate a group of users in afirst hyperplane and forces move the user away from the proximate groupof users in response to user actions. For example, the user may attemptto access a database that is not accessed by the proximate group ofusers, transmit data to a source that is not accessed by the proximategroup of users, access files that are not accessed by the proximategroup of users, and the like. In some embodiments, the malicious usermanager 130 can identify a user as a malicious user in response todetecting that the user has moved more than a predetermined distancefrom additional users or groups of users with similar characteristics.The characteristics can include the databases, files, email servers, andexternal sources that are accessed by the users.

At block 210, a command manager 132 can execute a security command toprevent the malicious user from accessing data. In some embodiments, thecommand manager 132 can block the malicious user from accessing adatabase. The command manager 132 can also generate an alert that themalicious user is unauthorized to access a database. Additionally, thecommand manager 132 can modify access rights for malicious user. In someexamples, the command manager 132 can mask or redact information byreplacing the sensitive information with pseudorandom alphanumericcharacters. In some embodiments, the command manager 132 can log eachuser action of a malicious user for further investigation or auditing.

The process flow diagram of FIG. 2 is not intended to indicate that theoperations of the method 200 are to be executed in any particular order,or that all of the operations of the method 200 are to be included inevery case.

FIG. 3 is an example of a multi-dimensional visualization with twohyperplanes indicating user actions. The example multi-dimensionalvisualization 300 of FIG. 3 can be generated with any suitable computingdevice, such as the computing device 100 of FIG. 1. In some examples,the user actions can include authorized and unauthorized actions.

In some embodiments, the multi-dimensional visualization 300 can includeany suitable number of hyperplanes such as hyperplanes 302 and 304. Inone example, hyperplane 302 can indicate locations of objects 306, suchas users, and hyperplane 304 can indicate locations of databases 308accessed by the users. In some examples, the locations of the users 306of hyperplane 302 and locations of the databases 308 of hyperplane 304can be calculated based on Equations 1-4 discussed above in relation toFIG. 2. In some examples, each user 306 in hyperplane 302 can be mappedto one or more objects or databases 308 in hyperplane 304. For example,a user who accesses two databases may be mapped to the two databases inhyperplane 304. In some embodiments, a multi-dimensional visualization300 can be stored based on a predetermined period of time. Eachmulti-dimensional visualization 300 can be analyzed in a combinationwith a movement of locations of users 306 in hyperplane 302. Forexample, as a user moves away from additional users in hyperplane 302over time, the user can be designated as a malicious user.

The multi-dimensional visualization 300 of FIG. 3 is intended as anexample and can include fewer or additional objects in hyperplanes 302and 304. Additionally, the multi-dimensional visualization 300 caninclude any suitable number of additional hyperplanes.

The present invention may be a system, a method, and/or a computerprogram product. The computer program product may include a computerreadable storage medium (or media) having computer readable programinstructions thereon for causing a processor to carry out aspects of thepresent invention.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firewalls, switches, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present invention may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, or either source code or object code written in anycombination of one or more programming languages, including an objectoriented programming language such as Smalltalk, C++ or the like, andconventional procedural programming languages, such as the “C”programming language or similar programming languages. The computerreadable program instructions may execute entirely on the user'scomputer, partly on the user's computer, as a stand-alone softwarepackage, partly on the user's computer and partly on a remote computeror entirely on the remote computer or server. In the latter scenario,the remote computer may be connected to the user's computer through anytype of network, including a local area network (LAN) or a wide areanetwork (WAN), or the connection may be made to an external computer(for example, through the Internet using an Internet Service Provider).In some embodiments, electronic circuitry including, for example,programmable logic circuitry, field-programmable gate arrays (FPGA), orprogrammable logic arrays (PLA) may execute the computer readableprogram instructions by utilizing state information of the computerreadable program instructions to personalize the electronic circuitry,in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical functions. In some alternativeimplementations, the functions noted in the block may occur out of theorder noted in the figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

Referring now to FIG. 4, a block diagram is depicted of an example of atangible, non-transitory computer-readable medium that can detectunauthorized user actions. The tangible, non-transitory,computer-readable medium 400 may be accessed by a processor 402 over acomputer interconnect 404.

Furthermore, the tangible, non-transitory, computer-readable medium 400may include code to direct the processor 402 to perform the operationsof the current method. For example, an object manager 406 can identify aplurality of objects and at least one user event to be monitored. Insome embodiments, a visualization manager 408 can map the plurality ofobjects and the at least one user event to separate hyperplanes of amulti-dimensional visualization. In some embodiments, a force manager410 can apply at least one force to the plurality of objects. In someembodiments, a malicious user manager 412 can detect a malicious userbased on a movement of at least one of the objects as a result ofapplying the at least one force. In some embodiments, a command manager414 can execute a security command to prevent the malicious user fromaccessing data.

It is to be understood that any number of additional software componentsnot shown in FIG. 4 may be included within the tangible, non-transitory,computer-readable medium 400, depending on the specific application.Furthermore, fewer software components than those shown in FIG. 4 can beincluded in the tangible, non-transitory, computer-readable medium 400.

Referring now to FIG. 5, illustrative cloud computing environment 500 isdepicted. As shown, cloud computing environment 500 comprises one ormore cloud computing nodes 502 with which local computing devices usedby cloud consumers, such as, for example, personal digital assistant(PDA) or cellular telephone 504A, desktop computer 504B, laptop computer504C, and/or automobile computer system 504N may communicate. Nodes 502may communicate with one another. They may be grouped (not shown)physically or virtually, in one or more networks, such as Private,Community, Public, or Hybrid clouds as described hereinabove, or acombination thereof. This allows cloud computing environment 500 tooffer infrastructure, platforms and/or software as services for which acloud consumer does not need to maintain resources on a local computingdevice. It is understood that the types of computing devices 504A-Nshown in FIG. 5 are intended to be illustrative only and that computingnodes 502 and cloud computing environment 500 can communicate with anytype of computerized device over any type of network and/or networkaddressable connection (e.g., using a web browser).

Referring now to FIG. 6, a set of functional abstraction layers providedby cloud computing environment 500 (FIG. 5) is shown. It should beunderstood in advance that the components, layers, and functions shownin FIG. 6 are intended to be illustrative only and embodiments of theinvention are not limited thereto. As depicted, the following layers andcorresponding functions are provided.

Hardware and software layer 600 includes hardware and softwarecomponents. Examples of hardware components include mainframes, in oneexample IBM® zSeries® systems; RISC (Reduced Instruction Set Computer)architecture based servers, in one example IBM pSeries® systems; IBMxSeries® systems; IBM BladeCenter® systems; storage devices; networksand networking components. Examples of software components includenetwork application server software, in one example IBM WebSphere®application server software; and database software, in one example IBMDB2® database software. (IBM, zSeries, pSeries, xSeries, BladeCenter,WebSphere, and DB2 are trademarks of International Business MachinesCorporation registered in many jurisdictions worldwide).

Virtualization layer 602 provides an abstraction layer from which thefollowing examples of virtual entities may be provided: virtual servers;virtual storage; virtual networks, including virtual private networks;virtual applications and operating systems; and virtual clients. In oneexample, management layer 604 may provide the functions described below.Resource provisioning provides dynamic procurement of computingresources and other resources that are utilized to perform tasks withinthe cloud computing environment. Metering and Pricing provide costtracking as resources are utilized within the cloud computingenvironment, and billing or invoicing for consumption of theseresources. In one example, these resources may comprise applicationsoftware licenses. Security provides identity verification for cloudconsumers and tasks, as well as protection for data and other resources.User portal provides access to the cloud computing environment forconsumers and system administrators. Service level management providescloud computing resource allocation and management such that requiredservice levels are met. Service Level Agreement (SLA) planning andfulfillment provide pre-arrangement for, and procurement of, cloudcomputing resources for which a future requirement is anticipated inaccordance with an SLA.

Workloads layer 606 provides examples of functionality for which thecloud computing environment may be utilized. Examples of workloads andfunctions which may be provided from this layer include: mapping andnavigation; software development and lifecycle management; virtualclassroom education delivery; data analytics processing; transactionprocessing; and detecting unauthorized user actions.

The descriptions of the various embodiments of the present inventionhave been presented for purposes of illustration, but are not intendedto be exhaustive or limited to the embodiments disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the describedembodiments. The terminology used herein was chosen to best explain theprinciples of the embodiments, the practical application or technicalimprovement over technologies found in the marketplace, or to enableothers of ordinary skill in the art to understand the embodimentsdisclosed herein.

What is claimed is:
 1. A system for detecting unauthorized user actionscomprising: a processor; a network interface for communication betweenthe processor and a network, the processor to: map a plurality ofobjects representing entities in a computing environment to separatehyperplanes of a multi-dimensional visualization; virtually apply atleast one force to the plurality of objects to cause motion of theobjects within the visualization; update the force applied based on useractions in the computing environment; detect a malicious user based on amovement of at least one of the objects in the multi-dimensionalvisualization as a result of applying the at least one force; andexecute a security command to prevent the malicious user from accessingdata.
 2. The system of claim 1, wherein the plurality of objectscomprise a set of users and a set of resources accessed by the set ofusers.
 3. The system of claim 1, wherein the multi-dimensionalvisualization comprises a connecting line between two objects inseparate hyperplanes involved in a user action.
 4. The system of claim1, wherein the processor is to modify an appearance of an object in themulti-dimensional visualization based on a frequency of user actionsinvolving that object.
 5. The system of claim 1, wherein the forceapplied is based on a sum of attraction of a plurality of objects to acenter of activity in the separate hyperplanes.
 6. The system of claim5, wherein the center of activity comprises a weighted average of theobjects in one of the separate hyperplanes.
 7. The system of claim 1,wherein the force applied comprises a repulsion of one of the pluralityof objects from additional objects within a predetermined distance. 8.The system of claim 1, wherein the force applied comprises a repulsionfrom a border of the separate hyperplanes.
 9. The system of claim 8,wherein the repulsion is modeled on an electrostatic repulsion force.10. The system of claim 1, wherein the security command comprisesblocking the malicious user from accessing a database, generating analert that the malicious user is unauthorized to access a database, ormodifying access rights for the malicious user.
 11. A method fordetecting unauthorized user actions in a computing environment, themethod comprising: mapping a plurality of objects representing entitiesin a computing environment to separate hyperplanes of amulti-dimensional visualization; virtually applying at least one forceto the plurality of objects to cause motion of the objects within thevisualization; updating the force applied based on user actions in thecomputing environment; detecting a malicious user based on a movement ofat least one of the objects in the multi-dimensional visualization as aresult of applying the at least one force; and executing a securitycommand to prevent the malicious user from accessing data.
 12. Themethod of claim 11, wherein the plurality of objects comprise a set ofusers and a set of resources accessed by the set of users.
 13. Themethod of claim 11, wherein the multi-dimensional visualizationcomprises a connecting line between two objects in separate hyperplanesinvolved in a user action.
 14. The method of claim 11, furthercomprising modifying an appearance of an object in the multi-dimensionalvisualization based on a frequency of user actions involving thatobject.
 15. The method of claim 11, wherein the security commandcomprises blocking the malicious user from accessing a database,generating an alert that the malicious user is unauthorized to access adatabase, or modifying access rights for the malicious user.
 16. Acomputer program product for detecting unauthorized user actions, thecomputer program product comprising a non-transitory computer readablestorage medium having program instructions embodied therewith, theprogram instructions executable by a processor to cause the processorto: map a plurality of objects representing entities in a computingenvironment to separate hyperplanes of a multi-dimensionalvisualization; virtually apply at least one force to the plurality ofobjects to cause motion of the objects within the visualization; updatethe force applied based on user actions in the computing environment;detect a malicious user based on a movement of at least one of theobjects in the multi-dimensional visualization as a result of applyingthe at least one force; and execute a security command to prevent themalicious user from accessing data.
 17. The computer program product ofclaim 16, wherein the plurality of objects comprise a set of users and aset of databases accessed by the set of users.
 18. The computer programproduct of claim 16, wherein the multi-dimensional visualizationcomprises a connecting line between two objects in separate hyperplanesinvolved in a user action.
 19. The computer program product of claim 16,wherein the processor is to modify an appearance of an object in themulti-dimensional visualization based on a frequency of user actionsinvolving that object.
 20. The computer program product of claim 16,wherein the force applied is modeled on an electrostatic repulsionforce.